S4x23 Review Part 3: Healthcare Cybersecurity Sessions
COVID Task Force
In 2017, before the pandemic, he was involved in providing a report to improve cybersecurity in the healthcare industry as a member of the Healthcare Cybersecurity Task Force.
The report raised concerns that the healthcare industry was in the critical condition, suggesting severe lack of security talent, legacy equipment, premature/over-connectivity, vulnerabilities impacting patient care, and an epidemic of known vulnerabilities. He later worked on initiatives to protect medical care during the pandemic as the CISA’s COVID Task Force.
One example of their projects was to protect the vaccine supply chain.
First, they analyzed the vaccine supply chain. The 7 candidate vaccines were supported by 23 actors, and they were linked with 4000 suppliers. They prioritized the suppliers based on their impact, dependency, availability of alternatives, and supply shortages, resulting in 66 suppliers to protect. Next, they identified risks to be addressed for the Operation Warp Speed, a US government initiative to accelerate the development, manufacturing, and distribution of the COVID vaccine.
The risks included:
- espionage for development and testing,
- disruption of mass production,
- physical barriers during distribution, and
- mis/dis/mal information of vaccine uptake. One specific case was the distribution of vaccines that needed to be refrigerated.
The problem was a shortage of dry ice and limitation on air transportation. Based on their supply chain analysis, they decided to use resources from cheese distribution to keep dry ice and switch to ground transportation.
Capacity of healthcare delivery
Carrying capacity in health delivery organizations means their capacity to accommodate and process healthcare services. It is supported by three elements: space, supplies, and staff.
During the pandemic, these three elements affected each other, resulting in a total decrease of capacity.
First, the increase in demand for medical care caused a shortage of commodities, leading to delays and a decline in medical care. Second, the shortage of commodities such as personal protective equipment (PPE) increased the exposure of healthcare workers to the virus, resulting in a temporary shortage of staff. Third, the increase in demand for medical care led to prolonged exposure time for healthcare workers, resulting in their infection and absence from work, leading to a decline in treatment.
This had a cascading impact on hospitals in rural areas adjacent to urban areas, endangering the lives of people in the entire region. The rising death toll in the areas where COVID cases were high was not limited to solely people who died from COVID; more people were also dying from other causes than what would be expected. The technical term for this is excess deaths. Excess death data from 2020 captured large increases in deaths from causes other than COVID, including Alzheimer disease, diabetes, heart diseases, and cerebrovascular diseases.
Medical technology
Medical technology supports the three elements, space, supplies, staff of healthcare services that save people’s lives. Ransomware attacks the technologies and disrupts the three elements. It causes a decrease in the capacity of staff especially, which endangers people’s lives. In fact, in 2019, a baby was born with complications and died in Alabama because a clinical physician could not access electronic medical records and patient monitoring systems due to Ransomware attacks. We should never happen it again.
As a statistical analysis by the task force shows a capacity leads to excess deaths. Cyber attacks have short-term and long-term effects on medical care capacity even if it would threaten patient safety directly. Disruption to emergency services, and patient portal access (including viewing medical records, test results, and making appointments). Long-term downstream effects include surgery and cancer treatment cancellations or delays, closure of COVID testing sites, inability to submit radiographic images, and loss of communication with other hospitals. As a result, they need to transfer critical patients to far places, use paper-based records, and suspend high-risk patient care temporarily.
Cyber attacks disrupt medical systems’ ability to access electronic health records (EHR) and perform procedures that require detailed information, such as cardiac technology. This greatly reduces the capacity and leads to situations where new patients cannot be accepted. Transferring critically ill patients requires longer than usual, reducing the bed capacity and lowers bed occupancy rates.
He suggested that people will die without the collaboration of multiple agencies. On a value chain of critical services across multiple sectors, single disruptions have a cascading impact overall. To stratify critical infrastructure, we need to classify the services for life safety as latency-intolerant, latency-sensitive, or latency-insensitive longer than usual, requiring new cross-sectoral constructs.
I think that current medical services are maintained by various technologies, and hospitals themselves need to gain their resilience to cyber threats in the value chain across multiple sectors. Trend Micro evangelist discussed the ransomware landscape, cybersecurity challenges within hospitals, and cybersecurity strategy to protect patients’ health information and critical operations in on-demand webinar. Please refer to here.
In the next forth post, I will report on the discussion about Industrial IoT in manufacturing.
Reference: